Set Up WireGuard VPN on Ubuntu 18.04

Server Installation

wget https://raw.githubusercontent.com/complexorganizations/wireguard-install/master/wireguard-server.sh -P /etc/wireguard/
bash /etc/wireguard/wireguard-server.sh

Client Installation

wget https://raw.githubusercontent.com/complexorganizations/wireguard-install/master/wireguard-client.sh -P /etc/wireguard/
bash /etc/wireguard/wireguard-client.sh

Or

apt-get update
apt-get install software-properties-common -y
add-apt-repository ppa:wireguard/wireguard -y
apt-get update
apt-get install linux-headers-"$(uname -r)" -y
apt-get install wireguard qrencode haveged resolvconf -y

Run Client

# Install the config file to the WireGuard configuration directory on your
# Linux client:
sudo install -o root -g root -m 600 <username>.conf /etc/wireguard/wg0.conf

# Start the WireGuard VPN:
sudo systemctl start wg-quick@wg0

# Check that it started properly:
sudo systemctl status wg-quick@wg0

# Verify the connection to the AlgoVPN:
sudo wg

# See that your client is using the IP address of your AlgoVPN:
curl ipv4.icanhazip.com

# Optionally configure the connection to come up at boot time:
sudo systemctl enable wg-quick@wg0

References
https://github.com/complexorganizations/wireguard-install
https://trailofbits.github.io/algo/client-linux-wireguard.html

Install Shadowsocks with v2ray-plugin

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y && sudo apt-get clean && sudo apt-get install build-essential haveged -y
## Ubuntu 18.04/16.04 or Debian 9
wget -O ubuntu-ss-install.sh https://github.com/M3chD09/shadowsocks-with-v2ray-plugin-install/raw/master/ubuntu-ss-install.sh
chmod +x ubuntu-ss-install.sh
./ubuntu-ss-install.sh
# Manage shadowsocks with systemctl
systemctl status shadowsocks
systemctl start shadowsocks
systemctl stop shadowsocks
nano /etc/shadowsocks-libev/config.json
{
    "server":"0.0.0.0",
    "server_port":80,
    "password":"PASSWORD",
    "timeout":300,
    "user":"nobody",
    "method":"aes-256-gcm",
    "nameserver": "8.8.8.8",
    "fast_open":true,
    "reuse_port":true,
    "no_delay":true,
    "plugin":"/etc/shadowsocks-libev/",
    "plugin_opts":"server"
}

References
https://github.com/M3chD09/shadowsocks-with-v2ray-plugin-install
https://gist.github.com/rampageX/134fa08a547d4b1eabd754c279b12676

Run a Tor Bridge on Ubuntu

RunAsDaemon 1
BridgeRelay 1
ORPort 16001
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:16002
ExtORPort auto
ContactInfo example@gmail.com
Nickname yourNickname
PublishServerDescriptor 0

References
https://community.torproject.org/relay/setup/bridge/debian-ubuntu/
https://scottlinux.com/2016/01/16/how-to-run-a-tor-bridge-on-linux/
https://tails.boum.org/doc/first_steps/startup_options/bridge_mode/index.en.html

Configure Multiple Users for Shadowsocks-libev

For example, Cloud and Tifa, two AVALANCHE members, are planning to deploy shadowsocks-libev services on the same VPS to bypass the firewall of Shinra Inc. In this case, they can simply create cloud.json and tifa.json configurations with different ports, passwords and encryption methods in the /etc/shadowsocks-libev directory. Then enable and start the systemd services using the following commands:

sudo systemctl enable shadowsocks-libev-server@cloud.service --now
sudo systemctl enable shadowsocks-libev-server@tifa.service --now

The status of shadowsocks-libev instances could be checked with the following commands:

sudo systemctl status shadowsocks-libev-server@cloud.service
sudo systemctl status shadowsocks-libev-server@tifa.service

You can start shadowsocks-libev instances with the following commands:

sudo systemctl start shadowsocks-libev-server@cloud.service
sudo systemctl start shadowsocks-libev-server@tifa.service
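
The per-user setup described above, as an added example that is not from the original post: a shell function that writes one config per user with a random password and rejects a port that another config already uses. make_user_config, CONF_DIR, the ports 8388/8389 and the third user are constructed for this example, and both users share aes-256-gcm here.

```bash
# Added example: write one shadowsocks-libev config per user, each with its
# own port and a random password. make_user_config and CONF_DIR are
# hypothetical names; the JSON keys are the ones used in config.json above.

# make_user_config NAME PORT: create $CONF_DIR/NAME.json.
# Fails if NAME/PORT are malformed, the file exists, or PORT is already taken.
make_user_config() {
    name=$1 port=$2 file="$CONF_DIR/$1.json"
    case $name in ''|*[!a-z0-9_-]*) echo "bad name: $name" >&2; return 1;; esac
    case $port in ''|0*|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    [ ! -e "$file" ] || { echo "$file already exists" >&2; return 1; }
    # Refuse a port that another config in the same directory already uses.
    if grep -Eqs "\"server_port\"[[:space:]]*:[[:space:]]*$port([^0-9]|\$)" \
            "$CONF_DIR"/*.json; then
        echo "port $port already in use" >&2; return 1
    fi
    # 24 random bytes encode to 32 base64 characters.
    password=$(head -c 24 /dev/urandom | base64 | tr -d '\n')
    # The file must stay readable by the account the systemd unit runs as,
    # so its mode is left to the caller.
    cat > "$file" <<EOF
{
    "server":"0.0.0.0",
    "server_port":$port,
    "password":"$password",
    "timeout":300,
    "method":"aes-256-gcm"
}
EOF
}

# Demo in a throwaway directory; on a server use CONF_DIR=/etc/shadowsocks-libev.
CONF_DIR=$(mktemp -d); trap 'rm -rf "$CONF_DIR"' EXIT
make_user_config cloud 8388
make_user_config tifa 8389
make_user_config barret 8388 || echo "duplicate port rejected"
grep -H server_port "$CONF_DIR"/*.json
```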

References
https://blog.zzhou612.com/2019/02/15/configure-multiple-users-for-shadowsocks-libev/

Softether on VPS Using Local Bridge

Local bridge Setup

VPN Server IP: 192.168.7.1

VPN Client IP Range: 192.168.7.50-192.168.7.60

Tap Device name: tap_soft

ifconfig tap_soft
apt-get install dnsmasq
nano /etc/dnsmasq.conf
interface=tap_soft
dhcp-range=tap_soft,192.168.7.50,192.168.7.60,12h
dhcp-option=tap_soft,3,192.168.7.1

Configure the tap device

ifconfig tap_soft 192.168.7.1

Add this file to /etc/sysctl.d/ to enable IPv4 forwarding:

/etc/sysctl.d/ipv4_forwarding.conf

With this content:

net.ipv4.ip_forward = 1
sysctl --system

Then we add a POSTROUTING rule to iptables

iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source [YOUR VPS IP ADDRESS]
# /etc/init.d/vpnserver restart
# /etc/init.d/dnsmasq restart

References
http://blog.lincoln.hk/blog/2013/05/17/softether-on-vps-using-local-bridge/

How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 16.04

sudo apt-get install strongswan strongswan-plugin-eap-mschapv2 moreutils

Creating a Certificate Authority

mkdir vpn-certs
cd vpn-certs
ipsec pki --gen --type rsa --size 4096 --outform pem > server-root-key.pem
chmod 600 server-root-key.pem
ipsec pki --self --ca --lifetime 3650 \
--in server-root-key.pem \
--type rsa --dn "C=US, O=VPN Server, CN=VPN Server Root CA" \
--outform pem > server-root-ca.pem

Generating a Certificate for the VPN Server

ipsec pki --gen --type rsa --size 4096 --outform pem > vpn-server-key.pem
ipsec pki --pub --in vpn-server-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert server-root-ca.pem \
--cakey server-root-key.pem \
--dn "C=US, O=VPN Server, CN=server_name_or_ip" \
--san server_name_or_ip \
--flag serverAuth --flag ikeIntermediate \
--outform pem > vpn-server-cert.pem
sudo cp ./vpn-server-cert.pem /etc/ipsec.d/certs/vpn-server-cert.pem
sudo cp ./vpn-server-key.pem /etc/ipsec.d/private/vpn-server-key.pem
sudo chown root /etc/ipsec.d/private/vpn-server-key.pem
sudo chgrp root /etc/ipsec.d/private/vpn-server-key.pem
sudo chmod 600 /etc/ipsec.d/private/vpn-server-key.pem

Configuring StrongSwan

sudo cp /etc/ipsec.conf /etc/ipsec.conf.original
echo '' | sudo tee /etc/ipsec.conf
sudo nano /etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_name_or_ip
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity
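
The ike= and esp= lists above include proposals built on 3DES, SHA-1 and 1024/1536-bit MODP groups. As an added example (not part of the original tutorial), the shell function below lists such proposals in an ipsec.conf-style file; WEAK_RE, the function names and the sample file are assumptions made for this example.

```bash
# Added example: list IKE/ESP proposals that contain legacy algorithms.
# WEAK_RE is an assumed policy for this example; adjust it to your own.
WEAK_RE='(^|-)(3des|des|md5|sha1|modp768|modp1024|modp1536)(-|$)'

# weak_proposals FILE: print "<key> <proposal>" for every proposal on an
# ike= or esp= line of an ipsec.conf-style file that matches WEAK_RE.
weak_proposals() {
    grep -E '^[[:space:]]*(ike|esp)[[:space:]]*=' "$1" |
    while IFS='=' read -r key list; do
        key=$(printf '%s' "$key" | tr -d ' \t')
        list=$(printf '%s' "$list" | tr -d ' \t')
        list=${list%!}      # drop the trailing "!" (strict-mode marker)
        # Proposals are comma-separated; algorithms inside one are dash-separated.
        printf '%s\n' "$list" | tr ',' '\n' |
        while read -r prop; do
            [ -n "$prop" ] || continue
            if printf '%s\n' "$prop" | grep -Eq "$WEAK_RE"; then
                printf '%s %s\n' "$key" "$prop"
            fi
        done
    done
}

# count_weak FILE: number of weak proposals (0 means none were found).
count_weak() { weak_proposals "$1" | wc -l | tr -d ' '; }

# Constructed sample, shortened from the kind of lists shown above.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
conn ikev2-vpn
    ike=aes256-sha256-modp2048,aes128-sha1-modp1024,aes256gcm16-sha384-ecp384,3des-sha1-modp1024!
    esp=aes256gcm16-ecp384,aes128-sha1,aes256-sha256-modp4096,3des-sha1!
EOF

weak_proposals "$sample"
echo "weak proposals: $(count_weak "$sample")"
```

Run it as `weak_proposals /etc/ipsec.conf` on the server to see which entries to drop from the lists.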

Configuring VPN Authentication

sudo nano /etc/ipsec.secrets
server_name_or_ip : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
your_username %any% : EAP "your_password"
sudo ipsec reload

Configuring the Firewall & Kernel IP Forwarding

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p udp --dport  500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
sudo iptables -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s 10.10.10.0/24 -j ACCEPT
sudo iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
sudo iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
sudo nano /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1


# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0


net.ipv4.ip_no_pmtu_disc = 1
sudo reboot

Restart if required

systemctl restart strongswan

References

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
https://www.howtoforge.com/tutorial/how-to-setup-ikev2-vpn-using-strongswan-and-letsencrypt-on-centos-7/
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

Run SoftEther VPN Client on Linux

sudo vpnclient start

Run SoftEther VPN Client Manager and configure it, then connect

sudo dhclient vpn_vpn
sudo ip route add 160.235.81.120/32 via 192.168.1.1 dev wlp3s0
sudo ip route del default via 192.168.1.1 dev wlp3s0

Then change the DNS server in /etc/resolv.conf